PT-2025-9139 · Syspass · Syspass

Name of the Vulnerable Software and Affected Versions: SysPass versions 3.2.x Description: A stored cross-site scripting XSS vulnerability allows a malicious user with elevated privileges to execute arbitrary Javascript code by specifying a malicious XSS payload as a notification type or...

copyparty renders unsanitized filenames as HTML when user uploads empty files

Summary A DOM-Based XSS was discovered in copyparty, a portable fileserver. The vulnerability is considered low-risk. Details By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the...

CVE-2024-46226

A stored cross site scripting XSS vulnerability in HelpDeskZ v2.0.2 allows remote attackers to execute arbitrary JavaScript in the administration panel by including a malicious payload into the file name and upload file function when creating a new ticket...

CVE-2024-46226

A stored cross site scripting XSS vulnerability in HelpDeskZ v2.0.2 allows remote attackers to execute arbitrary JavaScript in the administration panel by including a malicious payload into the file name and upload file function when creating a new ticket...

CVE-2025-27145 copyparty renders unsanitized filenames as HTML when user uploads empty files

copyparty, a portable file server, has a DOM-based cross-site scripting vulnerability in versions prior to 1.16.15. The vulnerability is considered low-risk. By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execu...

Copyparty 安全漏洞

Copyparty is a portable file server for ed individual developers. A security vulnerability exists in Copyparty versions prior to 1.16.15. An attacker exploiting this vulnerability could execute arbitrary javascript with the same privileges as the user...

CVE-2025-1024

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting XSS in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to...

The vulnerability of the task and project management service WEEEK lies in the lack of measures taken to protect the website structure, allowing a perpetrator to execute arbitrary JavaScript code.

The vulnerability of the WEEEK task and project management service is related to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a remote attacker to execute arbitrary JavaScript code by loading an XML file...

BIT-DISCOURSE-2025-22602 Stored DOM-based XSS (without CSP) via video placeholders in Discourse

Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest...

CVE-2025-1024

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting XSS in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to...

Cross-site Scripting (XSS)

Vega and vega-selections are vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper function invocation due to the vlSelectionTuples function allowing attacker-controlled input to execute arbitrary JavaScript via Function, leading to potential code execution...

IBM Sterling B2B Integrator Cross-Site Scripting Vulnerability (CNVD-2025-04978)

IBM Sterling B2B Integrator is a suite of software from International Business Machines IBM that integrates critical B2B processes, transactions and relationships. The software supports secure integration of complex B2B processes with diverse partner communities. A cross-site scripting...

Exploit for Cross-site Scripting in Phpgurukul Student_Study_Center_Management_System

Published-CVE This repository contains descriptions and explo...

UBUNTU-CVE-2025-25304

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the vlSelectionTuples function, allowing the usage of Function with arbitrary JavaScript code. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a malicious...

CVE-2025-25304

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site...

GHSA-MP7W-MHCV-673J Vega allows Cross-site Scripting via the vlSelectionTuples function

Summary The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS. Details vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: vlSelectionTuplesdatum:, fields:getter:...

SUSE CVE-2024-49505

A Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the REGEX and P parameters. This issue affects MirrorCache before 1.083...

Cross-Site Scripting (XSS)

@nuxtjs/mdc is vulnerable to cross-site scripting XSS. The vulnerability is due to a deny-list approach in URL parsing that fails to properly filter encoded HTML entities, allowing an attacker to bypass security checks and execute arbitrary JavaScript...

NetVision Information ISOinsight 跨站脚本漏洞

NetVision Information ISOinsight is an operations and maintenance management platform from China's Zhengbang Information NetVision Information. A cross-site scripting vulnerability exists in NetVision Information ISOinsight. An attacker can exploit this vulnerability to execute arbitrary JavaScri...